Why Did it Take So Long to Notify Regulators and Affected Patients?
A small rural Alabama hospital is notifying more than 61,000 patients that their sensitive information was potentially compromised in an October 2023 hacking incident. The hospital attributed the 10-month-long lag between discovery of the incident and notification to difficulties in identifying the individuals and the information affected in the hack.
See Also: 2024 Gartner® Critical Capabilities for Single-Vendor SASE
Medical Center Barbour, a 74-bed acute care hospital in Eufaula, Alabama, reported the incident on Aug. 22 as affecting 61,014 individuals.
As of Monday, the U.S. Department of Health and Human Services’ HIPAA Breach Reporting Tool website did not yet show a report to federal regulators by Medical Center Barbour for the incident.
In a breach notice posted on its website Thursday, Medical Center Barbour said that on Oct. 29, 2023 it detected suspicious activity in its network environment.
The investigation, concluded on Dec. 8, 2023, determined that an unauthorized actor accessed certain files and data stored within the hospital’s network. Medical Center Barbour said it then began an internal review of the data stored on the affected server at the time of the incident.
“After our own review, on May 21, MCB engaged a reputable data mining vendor, to assist in the time consuming and detailed reconstruction and review of the data stored on the server at the time of this incident to better understand whose information was affected.”
On July 31, the data mining vendor identified individuals whose sensitive data was included within the compromised data.
The information potentially affected varies among individuals but may include name, date of birth, address, health insurance information, driver’s license and medical information. For a smaller subset of individuals, potentially compromised data include Social Security numbers, passport information, and financial information impacted.
Under the HIPAA breach reporting rule, regulated entities must notify affected individuals no later than 60 days upon discovery of a HIPAA breach, and report the incident to HHS’ Office for Civil Rights within that same time frame when the breach affected 500 or more individuals.
If affected individuals have not all been identified for notification within the 60 day-timeframe, covered entities should post a substitute HIPAA breach notice on its public website.
